
Privacy policy

Last updated 21 May 2026. This policy is operational and binding on us; counsel review may clarify wording. Where counsel review changes a material commitment, we will announce it on the status page 30 days before it takes effect.

Plain-language summary

Annual Tabletop is a B2B SaaS product. We collect the data we need to deliver tabletop exercises, generate after-action reports, and bill our customers. We do not sell personal data. We do not use customer scenario content, decisions, or AAR contents to train third-party models.

Who this applies to

This policy covers the marketing site at annualtabletop.com and the Annual Tabletop product. It covers visitors, trial users, paying customers, and individuals who participate in an exercise on behalf of a paying customer.

What we collect

Account data. Name, work email, organization name, role, and the tier you're on. Used for authentication, billing, and customer communications.

Exercise data. Which scenario ran, who participated, the decisions captured, and the generated AAR. This is the product of record and belongs to the customer organization.

Product telemetry. Standard page-view and feature-event telemetry so we can improve the product. IP addresses are hashed at collection; individual-level PII is not stored alongside telemetry.

Support interactions. Email, chat, and call content you send us directly. Retained for the life of the customer relationship plus one year.

What we do not collect

We do not run third-party advertising trackers on the marketing site or in the product. We do not collect biometric data. We do not require customers to upload personal data — the product is designed around organizational decision-making, not individual personal data. If a customer uploads personal data as part of a custom scenario, it is covered by the DPA and the security commitments on the Security page.

Cookies and local storage

The marketing site sets the following cookies and localStorage keys. Items marked “analytics” are only set after you accept the consent banner.

| Name | Type | Purpose | Duration |
| --- | --- | --- | --- |
| analytics_consent | localStorage | Stores your cookie-consent choice (accepted or rejected) | 30 days (re-prompts after expiry) |
| analytics_consent_timestamp | localStorage | Records when the consent choice was made, used for 30-day expiry calculation | 30 days |
| is_unique | Cookie (third-party, StatCounter) | Identifies unique visitors for aggregate page-view counts. Only set when analytics consent is accepted. | Session |
| sc_is_visitor_unique | Cookie (third-party, StatCounter) | Determines whether a visitor has been counted before in aggregate statistics. Only set when analytics consent is accepted. | 2 years |

Vercel Analytics (our primary page-view analytics) is cookieless by design and does not set any cookies. It is loaded only after you accept the consent banner.

Cookie consent

A consent banner appears on your first visit. You have two choices: Accept or Reject. If you accept, analytics scripts (Vercel Analytics and StatCounter) are loaded. If you reject, no analytics scripts load and no analytics cookies are set.

Your choice is stored in your browser's localStorage for 30 days. After 30 days the banner re-appears so you can make a fresh choice. You can change your choice at any time using the “Privacy Choices” link in the site footer.

Global Privacy Control

We honor the Global Privacy Control (GPC) signal. When your browser sends Sec-GPC: 1, we treat it as a legally binding opt-out: analytics are automatically rejected without showing the consent banner. This applies under the CCPA/CPRA, Colorado Privacy Act, and other U.S. state privacy laws that recognize GPC as a valid opt-out mechanism.

Do Not Sell or Share

Annual Tabletop does not sell or share personal data as defined by the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). We do not run advertising trackers, do not share data with data brokers, and do not engage in cross-context behavioral advertising.

You can opt out of all analytics at any time using the consent banner or the “Privacy Choices” link in the site footer. For CCPA-specific data requests (right to know, right to delete, right to opt out), email privacy@annualtabletop.com. We do not discriminate against users who exercise their privacy rights.

How Atlas processes exercise text

Atlas is our AI facilitator. During an exercise, player inputs, injects, and facilitator prompts are sent to a model provider over a TLS-terminated private connection. Model providers are contractually bound to a zero-retention data-processing addendum — your exercise text is not retained by the model provider and is not used to train any model, ours or theirs. See the sub-processors list for the specific providers.

Sub-processors

Our current sub-processor list is at /legal/subprocessors and updated on a 30-day notice cadence. Customers on annual contracts may object to a new sub-processor that materially changes the data-handling posture of their account.

Your rights

Customers and individual participants may request access, correction, deletion, or export of their data by emailing privacy@annualtabletop.com. We respond within 30 days. For GDPR / UK GDPR / CCPA / CPRA specific requests, the same address is the controller / business contact.

Retention

AARs default to a seven-year retention to match the longest common audit retention (CJIS, HIPAA, FFIEC). Customers may configure a shorter retention or request on-demand deletion. Deletion is propagated to backups on the 35-day backup-rollover cycle.

International transfers

Customer data sits in U.S. regions by default. For EU / UK customers whose data crosses the Atlantic, we rely on Standard Contractual Clauses (EU Commission 2021/914) and the UK IDTA addendum, both included in our DPA.

Children

Annual Tabletop is a B2B product not directed at children under 16. We do not knowingly collect data from children. If you believe a child has provided data to us, email the privacy address above.

Changes

We announce material changes to this policy on the status page 30 days before they take effect. Non-material clarifications may land without notice and are logged in the page history.

Contact

Privacy questions: privacy@annualtabletop.com. Security incidents: see our Security page. Mailing address is provided in the DPA.


This policy is operational and binding on us. It will be replaced verbatim or clarified by the counsel-reviewed final at sign-off; in the meantime, the commitments here govern.